Wholocked Ransomware

What is Wholocked Ransomware?

Wholocked Ransomware is the kind of infection you are likely to remember for a long time, because its damage outlasts its removal: even after you delete it, the files it encrypted stay encrypted. This threat is sneaky, and it can attack without you fully realizing it. According to our experts at Anti-Spyware-101.com, files attached to misleading spam emails and exposed or vulnerable RDP (Remote Desktop) services could be used to distribute the infection. If it successfully invades your Windows system, it encrypts your personal files, which means that your documents, photos, videos, archives, and other personal data become unreadable. The encryption key that this malware employs is unique, and free decryptors cannot crack it. Unfortunately, at the time of research, malware researchers had not built a working decryptor either, so the victims of this malware are stuck. Can you recover your files by removing Wholocked Ransomware? If only that were the case. You must get rid of the infection, but do not expect your files to be restored afterward.

How does Wholocked Ransomware work?

Our researchers have analyzed hundreds of file-encrypting infections; some of the latest include Maas Ransomware, Bmtf Ransomware, and BlackKingdom Ransomware. Wholocked Ransomware differs from most of them in one respect: besides encrypting files, it locks the screen of the infected system. This is why part of this malware is detected as Trojan.ScreenLocker.B; that component is the malicious .exe file dropped in the %TEMP% directory. Once the malware is in, it immediately encrypts personal files (appending the “.wholocked” extension to their names) and, at the same time, locks the screen. The lock screen is the ransom note. Even if you reboot into Safe Mode (or Safe Mode with Networking), you will find the same ransom note set as the desktop wallpaper. The image used for that is called “ransom.jpg,” and it sits in the %USERPROFILE% directory. One more file that Wholocked Ransomware drops is called “READ_ME_Heyyyyyyy.txt.” Copies of it appear in every affected folder, and it carries the same message as the “ransom.jpg” image.

The ransom note introduced by Wholocked Ransomware first informs you that your files were encrypted. Next, it claims that a “secret key” is the only thing that can restore the files and that only the attackers can provide it. To obtain the key, you are instructed to pay a ransom of €300 in Bitcoin to the attackers’ wallet, 1NxoWvpXufC5PkagnfWD9Rf19wm5jchVkX. When we checked it, the wallet already had 6 incoming transactions totaling 1.362 BTC, which at the time of research converted to over $12,600. It is possible that the cybercriminals use this wallet in other attacks as well. Paying is technically possible, but you are given no guarantee that you would receive a decryptor in return; Wholocked Ransomware was created by cybercriminals, and nothing they promise can be trusted, so it is unlikely that paying gets you a decryptor. If your personal files were backed up, you have clean copies and can use them to replace the encrypted files once the infection is removed. At this point, that is the only reliable option for file recovery.

How to remove Wholocked Ransomware

Since Wholocked Ransomware is a screen-locker, you will most likely need to reboot your system into Safe Mode before you can do anything. If you want to delete the infection manually, follow the instructions below. If you prefer to use a trusted anti-malware tool, reboot into Safe Mode with Networking instead so that the tool can be downloaded and updated. We recommend the latter option because once the tool deletes Wholocked Ransomware, it continues protecting your operating system against other malware. Windows protection is not something you can forget about: there are literally thousands of threats that could try to invade your system, and without reliable security safeguards you could have your personal files encrypted again. Even with a secured system, double down on the security of your personal files by setting up backups, preferably stored offline or otherwise out of reach of malware running on the machine.

Removal Instructions

  1. Click the Power button to turn on your computer.
  2. On Windows 8, access the Charm bar and click Power Options. On Windows 10, click the Windows icon on the Taskbar and then click Power.
  3. Hold the Shift key on your keyboard and then click Restart.
  4. Open the Troubleshoot menu, select Advanced options, and then go to Startup Settings.
  5. Click Restart and then press F4 to enable Safe Mode or F5 to enable Safe Mode with Networking.
  6. Tap keys Windows+R to launch Run and then enter regedit into the dialog box.
  7. In Registry Editor, move to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
  8. Delete the value named svñhîst (its value data should point to %USERPROFILE%\AppData\Local\Temp\xc.exe; the value name could be different for you, so check every value whose data points into the Temp directory).
  9. Tap keys Windows+E to launch File Explorer.
  10. Enter %TEMP% into the quick access field at the top to access the directory.
  11. Delete the files named xc.exe and XVlBzgbaiC.exe (names could be different for you).
  12. Enter %USERPROFILE% into the quick access field at the top.
  13. Delete the file named ransom.jpg.
  14. Enter %USERPROFILE%\AppData\Local\Temp\ into the quick access field at the top (this is normally the same directory as %TEMP%; check it anyway in case the variable points elsewhere).
  15. Delete the file named xc.exe (the name could be different for you).
  16. Finally, delete the READ_ME_Heyyyyyyy.txt file from every affected location.
  17. Empty Recycle Bin and then restart your system back to normal mode.
  18. Install a trusted malware scanner to help you inspect your system for malware leftovers.
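The indicators described under “How does Wholocked Ransomware work?” and the manual steps above, gathered into one triage script. This is an added example written for this page, not code from the original article or from any vendor tool: it reports the artifacts the article names and, only when run with -Remove, deletes the Run value, the dropped executables, ransom.jpg and the ransom notes, while leaving the encrypted .wholocked files alone. The -Remove and -ScanRoots parameter names, the user profile as the default scan root, the check of the HKCU Wallpaper setting, and the ten-letter random filename heuristic are my assumptions, not details taken from the article.

```powershell
<#
Added triage example for the Wholocked artifacts named in the article above
(Run value pointing at %TEMP%\xc.exe, dropped .exe files in %TEMP%, ransom.jpg,
READ_ME_Heyyyyyyy.txt, files with the .wholocked extension).
Default mode only reports. -Remove deletes persistence, dropped executables and
ransom notes. Encrypted files are counted and listed, never deleted.
Run from an elevated PowerShell in Safe Mode, as the article advises.
Assumptions (mine, not the article's): personal files live under $env:USERPROFILE,
and a dropped executable may carry a random 10-letter name like XVlBzgbaiC.exe.
#>
[CmdletBinding()]
param(
    [switch]$Remove,
    [string[]]$ScanRoots = @($env:USERPROFILE)
)

$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$tempDir   = $env:TEMP
$noteName  = 'READ_ME_Heyyyyyyy.txt'
$knownExe  = @('xc.exe', 'XVlBzgbaiC.exe')
$findings  = [System.Collections.Generic.List[object]]::new()
$encrypted = [System.Collections.Generic.List[string]]::new()

function Add-Finding([string]$Type, [string]$Name, [string]$Path) {
    $findings.Add([pscustomobject]@{ Type = $Type; Name = $Name; Path = $Path })
}

# 1. Persistence: any Run value whose data resolves into %TEMP%
#    (the article's sample is 'svñhîst' -> %USERPROFILE%\AppData\Local\Temp\xc.exe)
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
        $target = [Environment]::ExpandEnvironmentVariables([string]$prop.Value).Trim('"')
        if ($target.StartsWith($tempDir, [StringComparison]::OrdinalIgnoreCase)) {
            Add-Finding 'RunValue' $prop.Name $target
            if ($Remove) { Remove-ItemProperty -Path $runKey -Name $prop.Name -ErrorAction SilentlyContinue }
        }
    }
}

# 2. Processes running from %TEMP% must be stopped before their files can be deleted
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path.StartsWith($tempDir, [StringComparison]::OrdinalIgnoreCase) } |
    ForEach-Object {
        Add-Finding 'Process' $_.ProcessName $_.Path
        if ($Remove) { Stop-Process -Id $_.Id -Force -ErrorAction SilentlyContinue }
    }

# 3. Dropped executables in %TEMP%: the named ones, plus 10-letter random names (assumption)
Get-ChildItem -Path $tempDir -Filter '*.exe' -File -ErrorAction SilentlyContinue |
    Where-Object { ($_.Name -in $knownExe) -or ($_.BaseName -match '^[A-Za-z]{10}$') } |
    ForEach-Object {
        Add-Finding 'TempExe' $_.Name $_.FullName
        if ($Remove) { Remove-Item -LiteralPath $_.FullName -Force -ErrorAction SilentlyContinue }
    }

# 4. Wallpaper image, and the wallpaper setting that may still reference it (reported only)
$wallpaper = Join-Path $env:USERPROFILE 'ransom.jpg'
if (Test-Path -LiteralPath $wallpaper) {
    Add-Finding 'Wallpaper' 'ransom.jpg' $wallpaper
    if ($Remove) { Remove-Item -LiteralPath $wallpaper -Force -ErrorAction SilentlyContinue }
}
$desktop = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name Wallpaper -ErrorAction SilentlyContinue
if ($desktop -and $desktop.Wallpaper -like '*ransom.jpg') {
    Add-Finding 'WallpaperSetting' 'Wallpaper' $desktop.Wallpaper
}

# 5. Ransom notes (removed with -Remove) and encrypted files (counted, never deleted)
foreach ($root in $ScanRoots) {
    Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.Name -eq $noteName) {
            Add-Finding 'RansomNote' $_.Name $_.FullName
            if ($Remove) { Remove-Item -LiteralPath $_.FullName -Force -ErrorAction SilentlyContinue }
        }
        elseif ($_.Extension -eq '.wholocked') {
            $encrypted.Add($_.FullName)
        }
    }
}

$findings | Format-Table -AutoSize
$listPath = Join-Path $env:USERPROFILE 'wholocked-encrypted-files.txt'
$encrypted | Set-Content -LiteralPath $listPath
"{0} encrypted (.wholocked) files found under {1}; list written to {2}. Restore them from backup, do not delete them." -f $encrypted.Count, ($ScanRoots -join ', '), $listPath
```

Run it once without -Remove and read the report first: the ten-letter filename heuristic can match legitimate installers left in Temp, so confirm each TempExe entry before running the script again with -Remove. The script deliberately does not touch the .wholocked files; if a decryptor is ever published you will need them intact, and the list it writes tells you which files to replace from backup in the meantime. If the WallpaperSetting line appears, reset the desktop background from Settings after the reboot into normal mode.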

